Extends the DIS scanner and its shared permission-rules lib with two
documented Claude Code permission footguns. Verified verbatim against
code.claude.com/docs/en/permissions (fetched 2026-06-19).
- lib/permission-rules.mjs: new isIneffectiveAllowGlob(entry) — unanchored
tool-name globs in permissions.allow (`*`, `B*`, `mcp__*`) that CC silently
skips ("does not auto-approve anything"); valid only as a glob-free
`mcp__<server>__*`. Shared with CNF.
- lib/permission-rules.mjs: dominates() now treats the `Tool(*)` deny-all glob
as equivalent to a bare deny (covers a bare allow) — CC: "Bash(*) is
equivalent to Bash ... both forms remove the tool from Claude's context".
- DIS: new finding "Ineffective allow wildcard — Claude Code ignores this rule"
(low, permissions-hygiene, CA-DIS-NNN); the existing dead-allow finding now
also catches a bare allow killed by a Tool(*) deny.
- 9 new tests (5 lib, 4 DIS) + 2 fixtures (force-added past .gitignore .claude/).
Suite 903 -> 912. Snapshot unchanged, contamination grep clean. README/CLAUDE/
scanner-internals document the broadened DIS mandate; test badge synced.
self-audit: PASS, configGrade A 96, pluginGrade A 100, readme gate passed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
134 lines
5 KiB
JavaScript
134 lines
5 KiB
JavaScript
import { describe, it } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import {
|
|
parseRule,
|
|
paramMatches,
|
|
dominates,
|
|
rulesIntersect,
|
|
isIneffectiveAllowGlob,
|
|
} from '../../scanners/lib/permission-rules.mjs';
|
|
|
|
describe('permission-rules — parseRule', () => {
|
|
it('bare tool → param null', () => {
|
|
assert.deepEqual(parseRule('Bash'), { tool: 'Bash', param: null });
|
|
});
|
|
|
|
it('param-qualified tool → tool + param', () => {
|
|
assert.deepEqual(parseRule('Bash(npm:*)'), { tool: 'Bash', param: 'npm:*' });
|
|
});
|
|
|
|
it('domain rule → tool + param', () => {
|
|
assert.deepEqual(parseRule('WebFetch(domain:example.com)'), {
|
|
tool: 'WebFetch',
|
|
param: 'domain:example.com',
|
|
});
|
|
});
|
|
|
|
it('non-string → tool null', () => {
|
|
assert.equal(parseRule(null).tool, null);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — paramMatches (glob)', () => {
|
|
it('wildcard matches any suffix', () => {
|
|
assert.equal(paramMatches('domain:*', 'domain:good.com'), true);
|
|
assert.equal(paramMatches('npm:*', 'npm:install'), true);
|
|
});
|
|
|
|
it('exact literal matches', () => {
|
|
assert.equal(paramMatches('domain:good.com', 'domain:good.com'), true);
|
|
});
|
|
|
|
it('distinct literals do not match', () => {
|
|
assert.equal(paramMatches('domain:evil.com', 'domain:good.com'), false);
|
|
assert.equal(paramMatches('model:opus', 'model:sonnet'), false);
|
|
});
|
|
|
|
it('literal pattern does not match a wildcard value', () => {
|
|
assert.equal(paramMatches('domain:good.com', 'domain:*'), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — dominates (deny fully covers allow → dead allow)', () => {
|
|
it('bare deny covers any param-qualified allow', () => {
|
|
assert.equal(dominates('Bash', 'Bash(npm:*)'), true);
|
|
});
|
|
|
|
it('exact param deny covers identical allow', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent(model:opus)'), true);
|
|
});
|
|
|
|
it('wildcard deny covers matching literal allow', () => {
|
|
assert.equal(dominates('WebFetch(domain:*)', 'WebFetch(domain:example.com)'), true);
|
|
});
|
|
|
|
it('distinct param deny does NOT cover a different param allow (the false positive)', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent(model:sonnet)'), false);
|
|
assert.equal(dominates('WebFetch(domain:evil.com)', 'WebFetch(domain:good.com)'), false);
|
|
});
|
|
|
|
it('specific deny does NOT cover a bare allow (sonnet still allowed)', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent'), false);
|
|
});
|
|
|
|
it('deny-all glob Tool(*) covers a bare allow (Bash(*) ≡ bare Bash deny)', () => {
|
|
// CC: "Bash(*) is equivalent to Bash ... As a deny rule, both forms remove
|
|
// the tool from Claude's context." So Bash(*) deny kills a bare Bash allow.
|
|
assert.equal(dominates('Bash(*)', 'Bash'), true);
|
|
assert.equal(dominates('Bash(*)', 'Bash(npm:*)'), true);
|
|
});
|
|
|
|
it('different tools never dominate', () => {
|
|
assert.equal(dominates('Bash', 'Read'), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — isIneffectiveAllowGlob (CC silently skips these allow entries)', () => {
|
|
it('unanchored tool-name globs are ineffective', () => {
|
|
assert.equal(isIneffectiveAllowGlob('*'), true);
|
|
assert.equal(isIneffectiveAllowGlob('B*'), true);
|
|
assert.equal(isIneffectiveAllowGlob('mcp__*'), true);
|
|
assert.equal(isIneffectiveAllowGlob('mcp__*__foo'), true); // glob in server segment
|
|
});
|
|
|
|
it('MCP globs anchored to a literal server are valid (not flagged)', () => {
|
|
assert.equal(isIneffectiveAllowGlob('mcp__puppeteer__*'), false);
|
|
assert.equal(isIneffectiveAllowGlob('mcp__github__get_*'), false);
|
|
});
|
|
|
|
it('non-glob and specifier forms are valid (not flagged)', () => {
|
|
assert.equal(isIneffectiveAllowGlob('Bash'), false); // legit match-all-tool allow
|
|
assert.equal(isIneffectiveAllowGlob('mcp__puppeteer'), false); // legit match-all-server
|
|
assert.equal(isIneffectiveAllowGlob('Bash(npm run *)'), false);// glob inside specifier is fine
|
|
assert.equal(isIneffectiveAllowGlob('Read(src/**)'), false);
|
|
});
|
|
|
|
it('non-string → false', () => {
|
|
assert.equal(isIneffectiveAllowGlob(null), false);
|
|
assert.equal(isIneffectiveAllowGlob(undefined), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — rulesIntersect (cross-scope conflict)', () => {
|
|
it('exact same rule intersects', () => {
|
|
assert.equal(rulesIntersect('Bash(npm run *)', 'Bash(npm run *)'), true);
|
|
});
|
|
|
|
it('bare tool intersects any param of same tool', () => {
|
|
assert.equal(rulesIntersect('Bash', 'Bash(npm:*)'), true);
|
|
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent'), true);
|
|
});
|
|
|
|
it('wildcard intersects matching literal (currently a false negative)', () => {
|
|
assert.equal(rulesIntersect('WebFetch(domain:*)', 'WebFetch(domain:good.com)'), true);
|
|
assert.equal(rulesIntersect('WebFetch(domain:good.com)', 'WebFetch(domain:*)'), true);
|
|
});
|
|
|
|
it('distinct literal params are disjoint (no conflict)', () => {
|
|
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent(model:sonnet)'), false);
|
|
});
|
|
|
|
it('different tools never intersect', () => {
|
|
assert.equal(rulesIntersect('Read', 'Write'), false);
|
|
});
|
|
});
|